A destructive virus spread across the internet last week, infecting the networks of organizations around the world, including at least 37 National Health Service hospitals in Britain, and extracting more than $26,000 in ransom payments.
The virus has been contained for now, but questions remain. How could such a wide range of systems have been so vulnerable, particularly at hospitals, where patient lives were at risk? Is something much worse on the way? And perhaps most pressing — who is to blame for one of the most widespread viruses this year?
This question triggered a philosophical debate in the computer security community, which has been struggling with how to contain malware for decades. Should the blame be placed on Microsoft, the creator of the software that had a vulnerability? The US government, which discovered the vulnerability that was used and then failed to secure it from being leaked to the public? The information technology departments at the hospitals and other organizations that were hit? The frightened users who pay ransom to hackers and therefore encourage such attacks?
Here is a summary of the arguments for each player’s share of the blame.
The National Security Agency
The NSA discovered a vulnerability in the way Microsoft implements what’s called Server Message Block, a protocol that lets computers on a network share resources like files, printers or serial ports, and built an exploit for it called ETERNALBLUE. That exploit may have been a useful hacking tool for the NSA, but the agency failed to protect it from falling into unauthorized hands.
On April 8, a group of hackers called The Shadow Brokers posted the details of the exploit online.
NSA losing control of its exploit was like the US military “having some of its Tomahawk missiles stolen,” Microsoft Chief Legal Officer Brad Smith wrote in a blog post. “This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem.”
The National Health Service and hospital IT departments
The National Health Service, Britain's socialized healthcare system, and its underfunded IT team may deserve some of the blame, too.
There was a security update available that would have protected against the virus, but hospitals just didn’t install it, or they were using machines that were so old they were no longer supported. The NHS also didn’t have the expensive extended support agreement sold by Microsoft, which would have covered the security patch at no extra cost — although it’s not clear whether the NHS’s failure to update its software was due to the expense or the simple fact that healthcare systems are complex webs of disparate devices and software that must all be kept compatible.
The NHS and its member hospitals failed to protect patients. And given that the NHS had been hit more than a dozen times by ransomware before, it definitely should have seen this threat coming.
Microsoft
Microsoft is the biggest single player in this crisis because its software, which runs so much of the world’s infrastructure, was the medium by which this virus traveled.
Microsoft sent out an update to protect Windows users from this exploit in March. The security patch was free for users considered part of the Windows support cycle as well as those that had purchased an extended support agreement.
The patch didn’t cover the older Windows XP system, however, which the company stopped supporting in 2014.
Once the WannaCry attack started, Microsoft sent out the patch to all XP and Windows Server 2003 users for free.
This is how the software industry typically handles support. Once a system like XP gets too old, support gets deprecated, even if it’s still widely used. Millions of people still run Windows XP, according to Net Applications.
“Users were protected if they had applied the patches that were released, but with a catch: If an institution still used an older Microsoft operating system, it did not receive this patch unless it paid for an expensive ‘custom’ support agreement,” wrote Zeynep Tufekci, an associate professor at the School of Information and Library Science at the University of North Carolina, in an op-ed for The New York Times. “The cash-strapped National Health Service in Britain, which provides healthcare to more than 50 million people, and whose hospitals still use Windows XP widely, was not among those that signed up to purchase the custom support from Microsoft. They were out in the cold.”
Microsoft is stuck between a rock and a hard place. Servicing old operating systems it isn’t making any money from is a tough business proposition. But a harsh reality of the world is that many essential industries, like healthcare, still depend on Windows XP. So if Microsoft wants to be a good corporate citizen, it shouldn’t withhold crucial security patches from customers unless they pay a hefty service fee.
On a more practical note, it’s more effective for Microsoft to make a change rather than expecting many hospitals to upgrade their systems or governments in many countries to pass stricter security laws.
The hacker or hackers
This whole thing would never have happened if this person or people had the moral fiber to not shut down vital systems in exchange for ransom. You suck!